Don’t rely on Cloud vendors for PCI compliance: Report

Credit card transactions should be retained on a secure server advises Pure Hacking

Hosting data in a public Cloud may save money but companies should investigate if payment card industry (PCI) compliance is covered first, according to security consultant firm, Pure Hacking.

PCI standards were created by Visa, MasterCard and other major credit card brands and are administered by the Payment Card Industry Data Security Standard (PCI DSS).

All companies that accept payment cards are required to implement the 12 high-level security controls prescribed under the standards. Larger companies face significantly tougher compliance requirements than smaller firms.

Level 1 merchants — companies that process more than six million credit card transactions a year — must engage a qualified security assessor.

Pure Hacking chief technology officer, Ty Miller, said in a statement that the big issue around PCI compliance is the third party model used for Cloud computing infrastructure.

“Organisations externalise their information to the Cloud and it may be extremely difficult to validate the PCI compliance levels of the individual Cloud provider,” he said.

“In reality, some public Clouds may not provide adequate security controls to meet these compliance standards.”

Another issue is the rise in malicious attacks, with credit card information and the identities of card holders being valuable targets for hackers.

“Organisations should consider the cost saving benefits of moving to Cloud infrastructure for daily operations but retain the security of credit card transactions across a secure server or third party processor,” Miller said.

Miller has some advice for companies wanting to move credit card information into a public Cloud.

The first is to check whether the Cloud vendor can guarantee compliance; Miller warned that enterprises should not rely on marketing documents and sales pitches.

“Cloud providers may know that they are not PCI compliant and could be relying on your trust,” he said.

Enterprises should also assess the budget requirements for testing PCI compliance and the security of customer credit card data, then allocate appropriate levels of funding.

For a more in-depth look at Cloud security, read the Computerworld Australia series looking at the issues surrounding Cloud security and reliability.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
